From ecebb2d57327efe9e353bf5028fbc3d238792a31 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Fri, 14 Oct 2022 09:04:45 +0200 Subject: [PATCH] Rename system rules --- ...stallation.yml => win_system_anydesk_service_installation.yml} | 0 ...carbonpaper_turla.yml => win_system_apt_carbonpaper_turla.yml} | 0 ...er_mar18_system.yml => win_system_apt_chafer_mar18_system.yml} | 0 .../{win_apt_stonedrill.yml => win_system_apt_stonedrill.yml} | 0 ...turla_service_png.yml => win_system_apt_turla_service_png.yml} | 0 ..._installs.yml => win_system_cobaltstrike_service_installs.yml} | 0 .../{win_eventlog_cleared.yml => win_system_eventlog_cleared.yml} | 0 .../system/{win_hack_smbexec.yml => win_system_hack_smbexec.yml} | 0 ...rvices.yml => win_system_invoke_obfuscation_clip_services.yml} | 0 ... => win_system_invoke_obfuscation_obfuscated_iex_services.yml} | 0 ...vices.yml => win_system_invoke_obfuscation_stdin_services.yml} | 0 ...ervices.yml => win_system_invoke_obfuscation_var_services.yml} | 0 ...ml => win_system_invoke_obfuscation_via_compress_services.yml} | 0 ....yml => win_system_invoke_obfuscation_via_rundll_services.yml} | 0 ...s.yml => win_system_invoke_obfuscation_via_stdin_services.yml} | 0 ...ml => win_system_invoke_obfuscation_via_use_clip_services.yml} | 0 ...l => win_system_invoke_obfuscation_via_use_mshta_services.yml} | 0 ...> win_system_invoke_obfuscation_via_use_rundll32_services.yml} | 0 ...ces.yml => win_system_invoke_obfuscation_via_var_services.yml} | 0 ...llation.yml => win_system_krbrelayup_service_installation.yml} | 0 ...indicators_tabtip.yml => win_system_lpe_indicators_tabtip.yml} | 0 .../{win_lsasrv_ntlmv1.yml => win_system_lsasrv_ntlmv1.yml} | 0 .../{win_mal_creddumper.yml => win_system_mal_creddumper.yml} | 0 ...eterpreter_or_cobaltstrike_getsystem_service_installation.yml} | 0 .../{win_moriya_rootkit.yml => win_system_moriya_rootkit.yml} | 0 ...win_ntfs_vuln_exploit.yml => win_system_ntfs_vuln_exploit.yml} | 0 .../system/{win_pcap_drivers.yml => win_system_pcap_drivers.yml} | 0 
...tem_possible_zerologon_exploitation_using_wellknown_tools.yml} | 0 ....yml => win_system_powershell_script_installed_as_service.yml} | 0 ...l => win_system_quarkspwdump_clearing_hive_access_history.yml} | 0 ..._service_installs.yml => win_system_rare_service_installs.yml} | 0 ...e_2019_0708.yml => win_system_rdp_potential_cve_2019_0708.yml} | 0 ...win_service_hacktools.yml => win_system_service_hacktools.yml} | 0 ...all_pdqdeploy.yml => win_system_service_install_pdqdeploy.yml} | 0 ...runner.yml => win_system_service_install_pdqdeploy_runner.yml} | 0 ...d.yml => win_system_service_install_susp_double_ampersand.yml} | 0 ...ervice_installs.yml => win_system_sliver_service_installs.yml} | 0 .../{win_susp_dhcp_config.yml => win_system_susp_dhcp_config.yml} | 0 ...p_config_failed.yml => win_system_susp_dhcp_config_failed.yml} | 0 ...win_susp_proceshacker.yml => win_system_susp_proceshacker.yml} | 0 ...e_install.yml => win_system_susp_rtcore64_service_install.yml} | 0 .../{win_susp_sam_dump.yml => win_system_susp_sam_dump.yml} | 0 ..._installation.yml => win_system_susp_service_installation.yml} | 0 ...folder.yml => win_system_susp_service_installation_folder.yml} | 0 ...ml => win_system_susp_service_installation_folder_pattern.yml} | 0 ...script.yml => win_system_susp_service_installation_script.yml} | 0 ...m_update_error.yml => win_system_susp_system_update_error.yml} | 0 ... 
=> win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml} | 0 ...n_crash.yml => win_system_system_application_sysmon_crash.yml} | 0 ...ender_disabled.yml => win_system_system_defender_disabled.yml} | 0 ...> win_system_system_service_installation_by_unusal_client.yml} | 0 ...og_cleared.yml => win_system_system_susp_eventlog_cleared.yml} | 0 ...er_installation.yml => win_system_tap_driver_installation.yml} | 0 .../system/{win_tool_psexec.yml => win_system_tool_psexec.yml} | 0 ...dow_copy_mount.yml => win_system_volume_shadow_copy_mount.yml} | 0 ...win_vul_cve_2020_1472.yml => win_system_vul_cve_2020_1472.yml} | 0 ...87.yml => win_system_vul_cve_2021_42278_or_cve_2021_42287.yml} | 0 57 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/system/{win_anydesk_service_installation.yml => win_system_anydesk_service_installation.yml} (100%) rename rules/windows/builtin/system/{win_apt_carbonpaper_turla.yml => win_system_apt_carbonpaper_turla.yml} (100%) rename rules/windows/builtin/system/{win_apt_chafer_mar18_system.yml => win_system_apt_chafer_mar18_system.yml} (100%) rename rules/windows/builtin/system/{win_apt_stonedrill.yml => win_system_apt_stonedrill.yml} (100%) rename rules/windows/builtin/system/{win_apt_turla_service_png.yml => win_system_apt_turla_service_png.yml} (100%) rename rules/windows/builtin/system/{win_cobaltstrike_service_installs.yml => win_system_cobaltstrike_service_installs.yml} (100%) rename rules/windows/builtin/system/{win_eventlog_cleared.yml => win_system_eventlog_cleared.yml} (100%) rename rules/windows/builtin/system/{win_hack_smbexec.yml => win_system_hack_smbexec.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_clip_services.yml => win_system_invoke_obfuscation_clip_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_obfuscated_iex_services.yml => win_system_invoke_obfuscation_obfuscated_iex_services.yml} (100%) rename 
rules/windows/builtin/system/{win_invoke_obfuscation_stdin_services.yml => win_system_invoke_obfuscation_stdin_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_var_services.yml => win_system_invoke_obfuscation_var_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_via_compress_services.yml => win_system_invoke_obfuscation_via_compress_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_via_rundll_services.yml => win_system_invoke_obfuscation_via_rundll_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_via_stdin_services.yml => win_system_invoke_obfuscation_via_stdin_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_via_use_clip_services.yml => win_system_invoke_obfuscation_via_use_clip_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_via_use_mshta_services.yml => win_system_invoke_obfuscation_via_use_mshta_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_via_use_rundll32_services.yml => win_system_invoke_obfuscation_via_use_rundll32_services.yml} (100%) rename rules/windows/builtin/system/{win_invoke_obfuscation_via_var_services.yml => win_system_invoke_obfuscation_via_var_services.yml} (100%) rename rules/windows/builtin/system/{win_krbrelayup_service_installation.yml => win_system_krbrelayup_service_installation.yml} (100%) rename rules/windows/builtin/system/{win_lpe_indicators_tabtip.yml => win_system_lpe_indicators_tabtip.yml} (100%) rename rules/windows/builtin/system/{win_lsasrv_ntlmv1.yml => win_system_lsasrv_ntlmv1.yml} (100%) rename rules/windows/builtin/system/{win_mal_creddumper.yml => win_system_mal_creddumper.yml} (100%) rename rules/windows/builtin/system/{win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml => win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml} (100%) rename 
rules/windows/builtin/system/{win_moriya_rootkit.yml => win_system_moriya_rootkit.yml} (100%) rename rules/windows/builtin/system/{win_ntfs_vuln_exploit.yml => win_system_ntfs_vuln_exploit.yml} (100%) rename rules/windows/builtin/system/{win_pcap_drivers.yml => win_system_pcap_drivers.yml} (100%) rename rules/windows/builtin/system/{win_possible_zerologon_exploitation_using_wellknown_tools.yml => win_system_possible_zerologon_exploitation_using_wellknown_tools.yml} (100%) rename rules/windows/builtin/system/{win_powershell_script_installed_as_service.yml => win_system_powershell_script_installed_as_service.yml} (100%) rename rules/windows/builtin/system/{win_quarkspwdump_clearing_hive_access_history.yml => win_system_quarkspwdump_clearing_hive_access_history.yml} (100%) rename rules/windows/builtin/system/{win_rare_service_installs.yml => win_system_rare_service_installs.yml} (100%) rename rules/windows/builtin/system/{win_rdp_potential_cve_2019_0708.yml => win_system_rdp_potential_cve_2019_0708.yml} (100%) rename rules/windows/builtin/system/{win_service_hacktools.yml => win_system_service_hacktools.yml} (100%) rename rules/windows/builtin/system/{win_service_install_pdqdeploy.yml => win_system_service_install_pdqdeploy.yml} (100%) rename rules/windows/builtin/system/{win_service_install_pdqdeploy_runner.yml => win_system_service_install_pdqdeploy_runner.yml} (100%) rename rules/windows/builtin/system/{win_service_install_susp_double_ampersand.yml => win_system_service_install_susp_double_ampersand.yml} (100%) rename rules/windows/builtin/system/{win_sliver_service_installs.yml => win_system_sliver_service_installs.yml} (100%) rename rules/windows/builtin/system/{win_susp_dhcp_config.yml => win_system_susp_dhcp_config.yml} (100%) rename rules/windows/builtin/system/{win_susp_dhcp_config_failed.yml => win_system_susp_dhcp_config_failed.yml} (100%) rename rules/windows/builtin/system/{win_susp_proceshacker.yml => win_system_susp_proceshacker.yml} (100%) rename 
rules/windows/builtin/system/{win_susp_rtcore64_service_install.yml => win_system_susp_rtcore64_service_install.yml} (100%) rename rules/windows/builtin/system/{win_susp_sam_dump.yml => win_system_susp_sam_dump.yml} (100%) rename rules/windows/builtin/system/{win_susp_service_installation.yml => win_system_susp_service_installation.yml} (100%) rename rules/windows/builtin/system/{win_susp_service_installation_folder.yml => win_system_susp_service_installation_folder.yml} (100%) rename rules/windows/builtin/system/{win_susp_service_installation_folder_pattern.yml => win_system_susp_service_installation_folder_pattern.yml} (100%) rename rules/windows/builtin/system/{win_susp_service_installation_script.yml => win_system_susp_service_installation_script.yml} (100%) rename rules/windows/builtin/system/{win_susp_system_update_error.yml => win_system_susp_system_update_error.yml} (100%) rename rules/windows/builtin/system/{win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml => win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml} (100%) rename rules/windows/builtin/system/{win_system_application_sysmon_crash.yml => win_system_system_application_sysmon_crash.yml} (100%) rename rules/windows/builtin/system/{win_system_defender_disabled.yml => win_system_system_defender_disabled.yml} (100%) rename rules/windows/builtin/system/{win_system_service_installation_by_unusal_client.yml => win_system_system_service_installation_by_unusal_client.yml} (100%) rename rules/windows/builtin/system/{win_system_susp_eventlog_cleared.yml => win_system_system_susp_eventlog_cleared.yml} (100%) rename rules/windows/builtin/system/{win_tap_driver_installation.yml => win_system_tap_driver_installation.yml} (100%) rename rules/windows/builtin/system/{win_tool_psexec.yml => win_system_tool_psexec.yml} (100%) rename rules/windows/builtin/system/{win_volume_shadow_copy_mount.yml => win_system_volume_shadow_copy_mount.yml} (100%) rename rules/windows/builtin/system/{win_vul_cve_2020_1472.yml => 
win_system_vul_cve_2020_1472.yml} (100%) rename rules/windows/builtin/system/{win_vul_cve_2021_42278_or_cve_2021_42287.yml => win_system_vul_cve_2021_42278_or_cve_2021_42287.yml} (100%)
diff --git a/rules/windows/builtin/system/win_anydesk_service_installation.yml b/rules/windows/builtin/system/win_system_anydesk_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_anydesk_service_installation.yml
rename to rules/windows/builtin/system/win_system_anydesk_service_installation.yml
diff --git a/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_carbonpaper_turla.yml
rename to rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml
diff --git a/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_chafer_mar18_system.yml
rename to rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml
diff --git a/rules/windows/builtin/system/win_apt_stonedrill.yml b/rules/windows/builtin/system/win_system_apt_stonedrill.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_stonedrill.yml
rename to rules/windows/builtin/system/win_system_apt_stonedrill.yml
diff --git a/rules/windows/builtin/system/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_system_apt_turla_service_png.yml
similarity index 100%
rename from rules/windows/builtin/system/win_apt_turla_service_png.yml
rename to rules/windows/builtin/system/win_system_apt_turla_service_png.yml
diff --git a/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/system/win_cobaltstrike_service_installs.yml
rename to rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml
diff --git a/rules/windows/builtin/system/win_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_eventlog_cleared.yml
similarity index 100%
rename from rules/windows/builtin/system/win_eventlog_cleared.yml
rename to rules/windows/builtin/system/win_system_eventlog_cleared.yml
diff --git a/rules/windows/builtin/system/win_hack_smbexec.yml b/rules/windows/builtin/system/win_system_hack_smbexec.yml
similarity index 100%
rename from rules/windows/builtin/system/win_hack_smbexec.yml
rename to rules/windows/builtin/system/win_system_hack_smbexec.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
similarity index 100%
rename from rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml
rename to rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
diff --git a/rules/windows/builtin/system/win_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_krbrelayup_service_installation.yml
rename to rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml
diff --git a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
similarity index 100%
rename from rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
rename to rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
diff --git a/rules/windows/builtin/system/win_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml
similarity index 100%
rename from rules/windows/builtin/system/win_lsasrv_ntlmv1.yml
rename to rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml
diff --git a/rules/windows/builtin/system/win_mal_creddumper.yml b/rules/windows/builtin/system/win_system_mal_creddumper.yml
similarity index 100%
rename from rules/windows/builtin/system/win_mal_creddumper.yml
rename to rules/windows/builtin/system/win_system_mal_creddumper.yml
diff --git a/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules/windows/builtin/system/win_moriya_rootkit.yml b/rules/windows/builtin/system/win_system_moriya_rootkit.yml
similarity index 100%
rename from rules/windows/builtin/system/win_moriya_rootkit.yml
rename to rules/windows/builtin/system/win_system_moriya_rootkit.yml
diff --git a/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml
similarity index 100%
rename from rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
rename to rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml
diff --git a/rules/windows/builtin/system/win_pcap_drivers.yml b/rules/windows/builtin/system/win_system_pcap_drivers.yml
similarity index 100%
rename from rules/windows/builtin/system/win_pcap_drivers.yml
rename to rules/windows/builtin/system/win_system_pcap_drivers.yml
diff --git a/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
similarity index 100%
rename from rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
rename to rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
diff --git a/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml
similarity index 100%
rename from rules/windows/builtin/system/win_powershell_script_installed_as_service.yml
rename to rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml
diff --git a/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml
similarity index 100%
rename from rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
rename to rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml
diff --git a/rules/windows/builtin/system/win_rare_service_installs.yml b/rules/windows/builtin/system/win_system_rare_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/system/win_rare_service_installs.yml
rename to rules/windows/builtin/system/win_system_rare_service_installs.yml
diff --git a/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml
similarity index 100%
rename from rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml
rename to rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml
diff --git a/rules/windows/builtin/system/win_service_hacktools.yml b/rules/windows/builtin/system/win_system_service_hacktools.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_hacktools.yml
rename to rules/windows/builtin/system/win_system_service_hacktools.yml
diff --git a/rules/windows/builtin/system/win_service_install_pdqdeploy.yml b/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_install_pdqdeploy.yml
rename to rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml
diff --git a/rules/windows/builtin/system/win_service_install_pdqdeploy_runner.yml b/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_install_pdqdeploy_runner.yml
rename to rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml
diff --git a/rules/windows/builtin/system/win_service_install_susp_double_ampersand.yml b/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml
similarity index 100%
rename from rules/windows/builtin/system/win_service_install_susp_double_ampersand.yml
rename to rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml
diff --git a/rules/windows/builtin/system/win_sliver_service_installs.yml b/rules/windows/builtin/system/win_system_sliver_service_installs.yml
similarity index 100%
rename from rules/windows/builtin/system/win_sliver_service_installs.yml
rename to rules/windows/builtin/system/win_system_sliver_service_installs.yml
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_system_susp_dhcp_config.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_dhcp_config.yml
rename to rules/windows/builtin/system/win_system_susp_dhcp_config.yml
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
rename to rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml
diff --git a/rules/windows/builtin/system/win_susp_proceshacker.yml b/rules/windows/builtin/system/win_system_susp_proceshacker.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_proceshacker.yml
rename to rules/windows/builtin/system/win_system_susp_proceshacker.yml
diff --git a/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml b/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_rtcore64_service_install.yml
rename to rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml
diff --git a/rules/windows/builtin/system/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_system_susp_sam_dump.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_sam_dump.yml
rename to rules/windows/builtin/system/win_system_susp_sam_dump.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation.yml b/rules/windows/builtin/system/win_system_susp_service_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation_folder.yml b/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation_folder.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation_folder.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation_folder_pattern.yml b/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation_folder_pattern.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml
diff --git a/rules/windows/builtin/system/win_susp_service_installation_script.yml b/rules/windows/builtin/system/win_system_susp_service_installation_script.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_service_installation_script.yml
rename to rules/windows/builtin/system/win_system_susp_service_installation_script.yml
diff --git a/rules/windows/builtin/system/win_susp_system_update_error.yml b/rules/windows/builtin/system/win_system_susp_system_update_error.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_system_update_error.yml
rename to rules/windows/builtin/system/win_system_susp_system_update_error.yml
diff --git a/rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
similarity index 100%
rename from rules/windows/builtin/system/win_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
rename to rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
diff --git a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/win_system_system_application_sysmon_crash.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_application_sysmon_crash.yml
rename to rules/windows/builtin/system/win_system_system_application_sysmon_crash.yml
diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_system_defender_disabled.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_defender_disabled.yml
rename to rules/windows/builtin/system/win_system_system_defender_disabled.yml
diff --git a/rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_service_installation_by_unusal_client.yml
rename to rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
diff --git a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_system_susp_eventlog_cleared.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
rename to rules/windows/builtin/system/win_system_system_susp_eventlog_cleared.yml
diff --git a/rules/windows/builtin/system/win_tap_driver_installation.yml b/rules/windows/builtin/system/win_system_tap_driver_installation.yml
similarity index 100%
rename from rules/windows/builtin/system/win_tap_driver_installation.yml
rename to rules/windows/builtin/system/win_system_tap_driver_installation.yml
diff --git a/rules/windows/builtin/system/win_tool_psexec.yml b/rules/windows/builtin/system/win_system_tool_psexec.yml
similarity index 100%
rename from rules/windows/builtin/system/win_tool_psexec.yml
rename to rules/windows/builtin/system/win_system_tool_psexec.yml
diff --git a/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml
similarity index 100%
rename from rules/windows/builtin/system/win_volume_shadow_copy_mount.yml
rename to rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml
diff --git a/rules/windows/builtin/system/win_vul_cve_2020_1472.yml b/rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml
similarity index 100%
rename from rules/windows/builtin/system/win_vul_cve_2020_1472.yml
rename to rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml
diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml
similarity index 100%
rename from rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
rename to rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml